Skip to main content

MLflow CVE-2026-2393

| EUVDEUVD-2026-29093 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-11 @huntr_ai GHSA-65h7-c7c4-mghx
7.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Red Hat
8.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
May 11, 2026 - 18:02 EUVD
Source Code Evidence Fetched
May 11, 2026 - 17:45 vuln.today
Analysis Generated
May 11, 2026 - 17:45 vuln.today
CVE Published
May 11, 2026 - 16:30 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on mlflow (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.9.0.

DescriptionCVE.org

A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The _create_webhook() function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the _send_webhook_request() function in mlflow/webhooks/delivery.py sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.

AnalysisAI

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to arbitrary URLs, including internal services and cloud metadata endpoints (e.g., AWS EC2 metadata at 169.254.169.254). Affects MLflow versions prior to 3.9.0. The webhook creation endpoint accepts unvalidated user-controlled URLs that are later used in HTTP POST requests, enabling cloud credential theft, internal network reconnaissance, and data exfiltration. Vendor-released patch available in MLflow 3.9.0, confirmed by GitHub commit 64aa0ab. No active exploitation confirmed (not in CISA KEV), but publicly disclosed with detailed technical analysis from huntr.com.

Technical ContextAI

MLflow is an open-source platform for managing machine learning lifecycles, including experiment tracking and model deployment. The vulnerability exists in the webhook delivery mechanism implemented in Python. The _create_webhook() function in mlflow/server/handlers.py accepts a URL parameter from authenticated users without validation. This URL is stored and later used by _send_webhook_request() in mlflow/webhooks/delivery.py to send HTTP POST requests. The lack of input sanitization against CWE-918 (Server-Side Request Forgery) allows attackers to specify internal network addresses (RFC1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8, ::1), link-local addresses (169.254.0.0/16 including cloud metadata endpoints), and other non-routable ranges. The fix in version 3.9.0 implements URL scheme validation (HTTPS-only), hostname resolution via socket.getaddrinfo(), and IP address classification using Python's ipaddress module to reject non-global addresses using the is_global property. An environment variable MLFLOW_WEBHOOK_ALLOW_PRIVATE_IPS provides override capability for local development environments.

RemediationAI

Upgrade to MLflow version 3.9.0 or later, which implements comprehensive SSRF protection including HTTPS-only URL scheme validation, hostname resolution checks, and IP address classification to block private, loopback, link-local, and reserved addresses. The fix is confirmed in commit 64aa0ab7207f9c649b59ba1a5f40d82196817389 available at https://github.com/mlflow/mlflow/commit/64aa0ab7207f9c649b59ba1a5f40d82196817389. If immediate patching is not feasible, implement network-level controls: deploy egress filtering rules to block MLflow server outbound connections to RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and cloud metadata endpoints (169.254.169.254/32), though this may break legitimate webhook integrations requiring internal network access. Restrict webhook creation permissions to highly trusted administrative users only via MLflow's permission model. Monitor MLflow logs for webhook creation events and HTTP request patterns targeting suspicious destinations. Note that the workaround firewall rules must block DNS resolution to private IPs, not just direct IP literals, as attackers can use DNS rebinding or public domains resolving to internal addresses. Audit existing webhooks for suspicious URLs using the MLflow API or database inspection before deploying the patch, as the fix validates URLs at delivery time for pre-existing webhooks.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2025-15381 HIGH
7.1 Mar 27

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated

Vendor StatusVendor

Share

CVE-2026-2393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy